Schneier on Security

Page 473

FBI and Cell Phone Surveillance

We’re learning a lot about how the FBI eavesdrops on cell phones from a recent court battle.

Tags: cell phones, FBI, law enforcement, privacy, surveillance, Verizon

Posted on April 16, 2013 at 6:37 AM • View Comments

Google Glass Enables New Forms of Cheating

It’s mentioned here:

Mr. Doerr said he had been wearing the glasses and uses them especially for taking pictures and looking up words while playing Scattergories with his family, though it is questionable whether that follows the game’s rules.

Questionable? Questionable? It’s just like using a computer’s dictionary while playing Scrabble, or a computer odds program while playing poker, or a computer chess program while playing an in-person game. There’s no question at all—it’s cheating.

We’re seeing the birth of a new epithet, “glasshole.”

Tags: cheating, games, Google, Google Glass

Posted on April 15, 2013 at 4:29 AM • View Comments

Friday Squid Blogging: Illegal Squid Fishing

While we we’re on the subject of squid fishing in Argentina, the country is dealing with foreign boats illegally fishing for squid inside its territorial waters.

So yet again, squid and security collide.

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Tags: squid

Posted on April 12, 2013 at 4:34 PM • View Comments

Remotely Hijacking an Aircraft

There is a lot of buzz on the Internet about a talk at the Hack-in-the Box conference by Hugo Teso, who claims he can hack in to remotely control an airplane’s avionics. He even wrote an Android app to do it.

I honestly can’t tell how real this is, and how much of it is the unique configuration of simulators he tested this on. On the one hand, it can’t possibly be true that an aircraft avionics computer accepts outside commands. On the other hand, we’ve seen lots of security vulnerabilities that seem impossible to be true. Right now, I’m skeptical.

EDITED TO ADD (4/12): Three good refutations.

Tags: air travel, Android, cell phones, exploits, Google, hacking

Posted on April 12, 2013 at 10:50 AM • View Comments

Thieves Use Video Camera to Stake Out Properties

If the police can use cameras, so can the burglars.

Tags: cameras, crime, privacy, surveillance, theft

Posted on April 11, 2013 at 6:42 AM • View Comments

Security Externalities and DDOS Attacks

Ed Felten has a really good blog post about the externalities that the recent Spamhaus DDOS attack exploited:

The attackers’ goal was to flood Spamhaus or its network providers with Internet traffic, to overwhelm their capacity to handle incoming network packets. The main technical problem faced by a DoS attacker is how to amplify the attacker’s traffic-sending capacity, so that the amount of traffic arriving at the target is much greater than the attacker can send himself. To do this, the attacker typically tries to induce many computers around the Internet to send large amounts of traffic to the target.

The first stage of the attack involved the use of a botnet, consisting of a large number of software agents surreptitiously installed on the computers of ordinary users. These bots were commanded to send attack traffic. Notice how this amplifies the attacker’s traffic-sending capability: by sending a few commands to the botnet, the attacker can induce the botnet to send large amounts of attack traffic. This step exploits our first externality: the owners of the bot-infected computers might have done more to prevent the infection, but the harm from this kind of attack activity falls onto strangers, so the computer owners had a reduced incentive to prevent it.

Rather than having the bots send traffic directly to Spamhaus, the attackers used another step to further amplify the volume of traffic. They had the bots send queries to DNS proxies across the Internet (which answer questions about how machine names like www.freedom-to-tinker.com related to IP addresses like 209.20.73.44). This amplifies traffic because the bots can send a small query that elicits a large response message from the proxy.

Here is our second externality: the existence of open DNS proxies that will respond to requests from anywhere on the Internet. Many organizations run DNS proxies for use by their own people. A well-managed DNS proxy is supposed to check that requests are coming from within the same organization; but many proxies fail to check this—they’re “open” and will respond to requests from anywhere. This can lead to trouble, but the resulting harm falls mostly on people outside the organization (e.g. Spamhaus) so there isn’t much incentive to take even simple steps to prevent it.

To complete the attack, the DNS requests were sent with false return addresses, saying that the queries had come from Spamhaus—which causes the DNS proxies to direct their large response messages to Spamhaus.

Here is our third externality: the failure to detect packets with forged return addresses. When a packet with a false return address is injected, it’s fairly easy for the originating network to detect this: if a packet comes from inside your organization, but it has a return address that is outside your organization, then the return address must be forged and the packet should be discarded. But many networks fail to check this. This causes harm but—you guessed it—the harm falls outside the organization, so there isn’t much incentive to check. And indeed, this kind of packet filtering has long been considered a best practice but many networks still fail to do it.

I’ve been writing about security externalities for years. They’re often much harder to solve than technical problems.

By the way, a lot of the hype surrounding this attack was media manipulation.

Tags: botnets, denial of service, externalities, hacking, incentives, Internet, malware

Posted on April 10, 2013 at 12:46 PM • View Comments

Last Battle-of-Midway Cryptanalyst

The last cryptanalyst at the Battle of Midway, Rear Admiral Donald “Mac” Showers, USN-Ret, passed away 19 October 2012. His interment at Arlington National Cemetery at Arlington, Virginia, will be Monday, April 15, at 3:00. The family made this a public event to celebrate his life and contributions to the cryptologic community.

Tags: cryptography, history of cryptography

Posted on April 10, 2013 at 6:40 AM • View Comments

Nice Security Mindset Example

A real-world one-way function:

Alice and Bob procure the same edition of the white pages book for a particular town, say Cambridge. For each letter Alice wants to encrypt, she finds a person in the book whose last name starts with this letter and uses his/her phone number as the encryption of that letter.

To decrypt the message Bob has to read through the whole book to find all the numbers.

And a way to break it:

I still use this example, with an assumption that there is no reverse look-up. I recently taught it to my AMSA students. And one of my 8th graders said, “If I were Bob, I would just call all the phone numbers and ask their last names.”

In the fifteen years since I’ve been using this example, this idea never occurred to me. I am very shy so it would never enter my mind to call a stranger and ask for their last name. My student made me realize that my own personality affected my mathematical inventiveness.

I’ve written about the security mindset in the past, and this is a great example of it.

Tags: cryptography, schools, security education, security mindset

Posted on April 9, 2013 at 1:49 PM • View Comments

Bitcoins in the Mainstream Media

Interesting article from the New Yorker.

I’m often asked what I think about bitcoins. I haven’t analyzed the security, but what I have seen looks good. The real issues are economic and political, and I don’t have the expertise to have an opinion on that.

By the way, here’s a recent criticism of bitcoins.

EDITED TO ADD (4/12): Four more good links.

EDITED TO ADD (4/16): Another good bitcoin story, although it’s from 2011.

Tags: bitcoin

Posted on April 9, 2013 at 6:05 AM • View Comments

Elite Panic

I hadn’t heard of this term before, but it’s an interesting one. The excerpt below is from an interview with Rebecca Solnit, author of A Paradise Built in Hell: The Extraordinary Communities That Arise in Disaster:

The term “elite panic” was coined by Caron Chess and Lee Clarke of Rutgers. From the beginning of the field in the 1950s to the present, the major sociologists of disaster—Charles Fritz, Enrico Quarantelli, Kathleen Tierney, and Lee Clarke—proceeding in the most cautious, methodical, and clearly attempting-to-be-politically-neutral way of social scientists, arrived via their research at this enormous confidence in human nature and deep critique of institutional authority. It’s quite remarkable.

Elites tend to believe in a venal, selfish, and essentially monstrous version of human nature, which I sometimes think is their own human nature. I mean, people don’t become incredibly wealthy and powerful by being angelic, necessarily. They believe that only their power keeps the rest of us in line and that when it somehow shrinks away, our seething violence will rise to the surface—that was very clear in Katrina. Timothy Garton Ash and Maureen Dowd and all these other people immediately jumped on the bandwagon and started writing commentaries based on the assumption that the rumors of mass violence during Katrina were true. A lot of people have never understood that the rumors were dispelled and that those things didn’t actually happen; it’s tragic.

But there’s also an elite fear—going back to the 19th century—that there will be urban insurrection. It’s a valid fear. I see these moments of crisis as moments of popular power and positive social change. The major example in my book is Mexico City, where the ’85 earthquake prompted public disaffection with the one-party system and, therefore, the rebirth of civil society.

Tags: cooperation, fear, natural disasters, psychology of security

Posted on April 8, 2013 at 1:30 PM • View Comments

← Earlier Entries Later Entries →

Sidebar photo of Bruce Schneier by Joe MacInnis.